
I have a Red Hat 5.4 server with openssh OpenSSH_4.3p2 and have been trying to setup scp/sftp logs in my server, but I am running into some problems.

I followed the directions in this other post. These work great if the users choose to transfer files using pscp or an SFTP client such as cyberduck, filezilla, winscp, etc. In such cases I am able to know the directory tree that was navigated.

However, if the users choose to do rsync (with scp as protocol) or if they call the scp command explicitly, the only thing that gets logged is event of login/logout. The actual tree navigated to transfer the files does not show up in the log trail.

Is there a way to disable scp while still allowing sftp ? Or is there a way to force scp commands to behave as sftp ?

Maybe this problem does not exist in more recent openssh ports. However, since Red Hat will not release further updates for my 5.4 OS version (and we don't want to upgrade the server) I am stuck with what I have.

Any suggestions ?

mmgm

1 Answer


I'm not sure about logging of SCP. I had a look into this. All scp does is call scp at the other end in a slightly different mode. sshd should be able to log what it execs. From the code it looks like sshd needs LogLevel=DEBUG to write the exec but that's not outputting for me at DEBUG or any higher level (6.1p1). Unfortunately once sshd has executed something the running binary can do whatever it wants underneath, so it would help if the binary also implemented logging. There's no real logging in scp so that would need a patch of some sorts.

This immediately leads my brain to a hack of writing a wrapper for scp to at least get some information.

mv /usr/bin/scp /usr/bin/scp.ori; touch /usr/bin/scp; chmod 755 /usr/bin/scp;

Then put the following in /usr/bin/scp

#!/bin/sh
# log the arguments scp was invoked with, then hand over to the real binary
logger -i -p auth.info "scp ran with [$*]"
exec /usr/bin/scp.ori "$@"

The script would get wiped out by releases though and it is a little dodgy. You only really see one side of the scp command, which can be a bit brief (e.g. scp -r user@host:/home/user/ ./ is -r -f /home/matt/ on the host).

It's also worth noting that if people have shell access they can copy whatever they want without using scp or sftp.

< end edit >

It is possible to force a Subsystem onto a login. The following is for members of the group sftponly that I want to only be able to sftp to a specific chroot location, so those users have a shell of /usr/sbin/nologin. I don't think you'll need more than ForceCommand in the sshd config.

Subsystem       sftp    internal-sftp
Match group sftponly
         ChrootDirectory /pub/user/%u
         X11Forwarding no
         AllowTcpForwarding no
         ForceCommand internal-sftp
         PasswordAuthentication yes

Hopefully you can append your logging and you're away.

Matt
  • Thanks for the reply. This means that the users in the sftponly group would not be allowed to ssh into the system, right? In my case they must, so this does not solve it for me. I just want to make sure I can audit the files that they take home. – mmgm Feb 19 '13 at 17:21
  • @mmgm Maybe it's an option to use two logins per user or two running instances of sshd so that the users change either the login or the port depending on whether they want to login or transfer files. With non-cooperative users this would require the capability to prevent file transfer for normal logins. – Hauke Laging Feb 19 '13 at 18:16
  • @mmgm Once you allow a terminal access (ssh) to the server, the user can take whatever he/she likes. – Martin Prikryl May 25 '15 at 08:31
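The wrapper in Matt's answer logs the raw argument string. The script below is an added example, not code from the answer or from OpenSSH, showing how much more an auditor can recover from the same arguments: when a client downloads, sshd runs scp on the server with -f (server sends), and when it uploads, with -t (server receives), so the server-side flags alone tell you the direction and the paths. The example assumes the real binary has been moved to /usr/bin/scp.ori exactly as in the answer; the function name scp_audit_line and the record format are this example's own choices, and the login name and client address come from the USER/LOGNAME and SSH_CONNECTION variables that sshd sets for the session.

```shell
#!/bin/sh
# Added example (not from the answer above): a replacement for the one-line
# /usr/bin/scp wrapper. Assumes the real binary was moved to /usr/bin/scp.ori
# exactly as in the answer; the function name and record format are illustrative.
#
# When a client runs "scp user@host:/home/matt/ ./", sshd executes
# "scp -f /home/matt/" on the server; an upload executes "scp -t <dir>".
# The wrapper turns those server-side flags into a readable audit record:
#   -f  server sends files      -> the remote user is downloading
#   -t  server receives files   -> the remote user is uploading
#   -r  recursive
# and adds the login name and client address that sshd exports.

REAL_SCP="/usr/bin/scp.ori"

scp_audit_line() {
    mode="unknown"
    recursive="no"
    paths=""
    for arg in "$@"; do
        case "$arg" in
            -*)
                # flags may be combined (-rf); look at the letters, not the position
                case "$arg" in *f*) mode="download" ;; esac
                case "$arg" in *t*) mode="upload" ;; esac
                case "$arg" in *r*) recursive="yes" ;; esac
                ;;
            *)
                paths="$paths $arg"
                ;;
        esac
    done
    who="${USER:-${LOGNAME:-unknown}}"
    # SSH_CONNECTION is "client_ip client_port server_ip server_port"
    client="${SSH_CONNECTION%% *}"
    [ -n "$client" ] || client="unknown"
    printf 'user=%s client=%s mode=%s recursive=%s paths=[%s]\n' \
        "$who" "$client" "$mode" "$recursive" "${paths# }"
}

# Only wrap when installed as /usr/bin/scp; sourcing the file elsewhere
# leaves the function defined without calling logger or exec.
if [ "$(basename "$0")" = "scp" ]; then
    logger -i -p auth.info "scp: $(scp_audit_line "$@")"
    exec "$REAL_SCP" "$@"
fi
```

Install it as /usr/bin/scp with mode 755, as in the answer; a package update will overwrite it, so it belongs in whatever configuration management you already use. The record it writes to auth.info is enough to answer "who copied what, in which direction, from where", which is the audit question in the post; it does not and cannot restrict what a user with a shell can do, which is the point made in the answer and the last comment, so for users who do not need a shell the ForceCommand internal-sftp block above remains the stronger control.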